28-3
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 28 Using Protection Tools
Configuring TCP Options
• Timeout—Display only. Displays the number of seconds to wait for an entire fragmented packet to arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the number of seconds displayed, all fragments of the packet that were already received will be discarded. The default is 5 seconds.
• Threshold—Display only. Displays the IP packet threshold, or the limit after which no new chains can be created in the reassembly module.
• Queue—Display only. Displays the number of IP packets waiting in the queue for reassembly.
• Assembled—Display only. Displays the number of IP packets successfully reassembled.
• Fail—Display only. Displays the number of failed reassembly attempts.
• Overflow—Display only. Displays the number of IP packets in the overflow queue.
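The reassembly behaviour these counters describe, as an added Python illustration (not Cisco code; the ASA's internal implementation is not public, so this only models what the field descriptions state). A chain table keyed by (source, destination, identification, protocol) is opened by the first fragment of a datagram and discarded, counting one failure, once that first fragment is older than Timeout; new chains are refused once Threshold chains exist and the refused fragments are parked in an overflow list. Queue, Assembled, Fail and Overflow are derived the way the pane reports them. The class and field names, the 5-second default and the sample fragments are constructed for the example.

```python
"""Toy IP fragment reassembly module exposing the ASDM-style counters.

Added example, not Cisco code. Overlapping fragments are not merged here:
a chain with an overlap never completes and is dropped by the timeout.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    key: tuple            # (src, dst, identification, protocol) of the original datagram
    offset: int           # byte offset of this fragment's payload in the datagram
    payload: bytes
    more_fragments: bool  # IP "MF" flag: False on the last fragment
    arrival: float        # seconds on a simulated clock, supplied by the caller


@dataclass
class Chain:
    started: float                      # arrival of the first fragment: the timer starts here
    pieces: dict = field(default_factory=dict)   # offset -> payload
    total_len: Optional[int] = None     # known once the last fragment (MF=0) arrives


class Reassembler:
    def __init__(self, timeout: float = 5.0, threshold: int = 200):
        self.timeout = timeout        # "Timeout" (seconds, default 5 as on the pane)
        self.threshold = threshold    # "Threshold": no new chains beyond this many
        self.chains: dict[tuple, Chain] = {}
        self.assembled = 0            # "Assembled"
        self.fail = 0                 # "Fail"
        self.overflow: list[Fragment] = []   # "Overflow" queue: fragments refused a chain

    @property
    def queue(self) -> int:
        """'Queue': fragments currently held waiting for the rest of their datagram."""
        return sum(len(c.pieces) for c in self.chains.values())

    def expire(self, now: float) -> None:
        """Discard every chain whose first fragment is at least `timeout` seconds old."""
        stale = [k for k, c in self.chains.items() if now - c.started >= self.timeout]
        for key in stale:
            del self.chains[key]      # all fragments received so far are thrown away
            self.fail += 1

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Accept one fragment; return the reassembled datagram when it completes."""
        self.expire(frag.arrival)
        chain = self.chains.get(frag.key)
        if chain is None:
            if len(self.chains) >= self.threshold:
                self.overflow.append(frag)   # threshold reached: no new chain is created
                return None
            chain = self.chains[frag.key] = Chain(started=frag.arrival)
        chain.pieces[frag.offset] = frag.payload
        if not frag.more_fragments:
            chain.total_len = frag.offset + len(frag.payload)
        if chain.total_len is not None and self._complete(chain):
            del self.chains[frag.key]
            self.assembled += 1
            return b"".join(chain.pieces[o] for o in sorted(chain.pieces))
        return None

    @staticmethod
    def _complete(chain: Chain) -> bool:
        """True when the pieces tile [0, total_len) with no gap or overlap."""
        end = 0
        for off in sorted(chain.pieces):
            if off != end:
                return False
            end = off + len(chain.pieces[off])
        return end == chain.total_len


def run_scenario() -> dict:
    """Constructed traffic: one datagram completes, one is refused, one times out."""
    r = Reassembler(timeout=5.0, threshold=1)      # threshold of 1 makes overflow easy to see
    k1 = ("10.0.0.1", "10.0.0.2", 0x1234, 17)      # constructed keys
    k2 = ("10.0.0.1", "10.0.0.2", 0x1235, 17)
    k3 = ("10.0.0.1", "10.0.0.2", 0x1236, 17)
    r.receive(Fragment(k1, 0, b"AAAAAAAA", True, 0.0))    # opens chain k1
    r.receive(Fragment(k2, 0, b"CCCC", True, 0.5))        # refused: threshold reached
    data = r.receive(Fragment(k1, 8, b"BBBB", False, 1.0))  # completes k1
    r.receive(Fragment(k2, 0, b"CCCC", True, 1.5))        # room again: opens chain k2
    r.receive(Fragment(k3, 4, b"DDDD", False, 7.0))       # k2 is 5.5 s old -> discarded
    return {"data": data, "assembled": r.assembled, "fail": r.fail,
            "overflow": len(r.overflow), "queue": r.queue}


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows why the pane has both a Fail and an Overflow figure: Fail rises when fragments that were accepted never complete, Overflow when fragments were never accepted into a chain at all, and the Queue figure is the memory the module is holding on behalf of incomplete datagrams.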
Configuring TCP Options
The Configuration > Firewall > Advanced > TCP Options pane lets you set parameters for TCP
connections.
Fields
• Inbound and Outbound Reset—Sets whether to reset denied TCP connections for inbound and outbound traffic.
  – Interface—Shows the interface name.
  – Inbound Reset—Shows the interface reset setting for inbound TCP traffic, Yes or No. Enabling this setting causes the ASA to send TCP resets for all inbound TCP sessions that attempt to transit the ASA and are denied by the ASA based on ACLs or AAA settings. Traffic between same security level interfaces is also affected. When this option is not enabled, the ASA silently discards denied packets.
  – Outbound Reset—Shows the interface reset setting for outbound TCP traffic, Yes or No. Enabling this setting causes the ASA to send TCP resets for all outbound TCP sessions that attempt to transit the ASA and are denied by the ASA based on ACLs or AAA settings. Traffic between same security level interfaces is also affected. When this option is not enabled, the ASA silently discards denied packets.
  – Edit—Sets the inbound and outbound reset settings for the interface.
• Other Options—Sets additional TCP options.
  – Send Reset Reply for Denied Outside TCP Packets—Enables resets for TCP packets that terminate at the least secure interface and are denied by the ASA based on ACLs or AAA settings. When this option is not enabled, the ASA silently discards denied packets. If you enable Inbound Resets for the least secure interface (see TCP Reset Settings), then you do not also have to enable this setting; Inbound Resets handle to-the-ASA traffic as well as through-the-ASA traffic.
  – Force Maximum Segment Size for TCP—Sets the maximum TCP segment size in bytes, between 48 and any maximum number. The default value is 1380 bytes. You can disable this feature by setting the bytes to 0. Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value you set here, then the ASA overrides the maximum and inserts the value you set. For example, if you set a maximum size of 1200 bytes, when a host requests a maximum size of 1300 bytes, then the ASA